main/build/api/core/AuthSystemDefault.php

264 lines
7.1 KiB
PHP
Raw Permalink Normal View History

<?php
namespace api\core;
use \error\core\Error;
use \error\core\Err;
use \api\core\AuthSystem;
use \database\core\Repo;
class AuthSystemDefault implements AuthSystem{
public function __construct(){
self::check();
}
/* INITIALISATION DU SYSTEME ET MISE A JOUR CONSTANTES D'AUTHENTIFICATION
*
*
*/
public static function check(){
/* (1) Initialisation
---------------------------------------------------------*/
if( !isset($_SESSION['TOKEN']) ) $_SESSION['TOKEN'] = [];
if( !isset($_SESSION['AUTH']) ) $_SESSION['AUTH'] = [];
if( !isset($_SESSION['PERM']) ) $_SESSION['PERM'] = [];
if( !isset($_SESSION['USER']) ) $_SESSION['USER'] = [];
if( !isset($_SESSION['ADMIN']) ) $_SESSION['ADMIN'] = [];
/* (2) Gestion de AUTH (authentification)
---------------------------------------------------------*/
$AUTH = '';
/* (1) Si Auth dans HEADER, on le récupère */
if( isset($_SERVER['PHP_AUTH_DIGEST']) && is_string($_SERVER['PHP_AUTH_DIGEST']) )
$AUTH = $_SERVER['PHP_AUTH_DIGEST'];
/* (2) Si SESSION déja connectée -> no récupère le token */
elseif( isset($_SESSION['TOKEN']) && is_string($_SESSION['TOKEN']) )
$AUTH = $_SESSION['TOKEN'];
/* (3) Gestion de AUTH en fonction des tokens
---------------------------------------------------------*/
/* (1) Token Authentication: ADMIN */
if( preg_match('/^a([a-f0-9]{128})$/', $AUTH, $match) )
$_SESSION['AUTH'] = [ 'token' => $match[1], 'type' => 'admin' ];
/* (2) Token Authentication: USER */
elseif( preg_match('/^u([a-f0-9]{128})$/', $AUTH, $match) )
$_SESSION['AUTH'] = [ 'token' => $match[1], 'type' => 'user' ];
/* (2) Aucune authentification */
else{
$_SESSION['TOKEN'] = [];
$_SESSION['AUTH'] = [];
$_SESSION['USER'] = [];
$_SESSION['ADMIN'] = [];
}
/* (4) On vérifie l'authentification par BDD
---------------------------------------------------------*/
if( !self::deepCheck() ){
$_SESSION['TOKEN'] = [];
$_SESSION['AUTH'] = [];
$_SESSION['USER'] = [];
$_SESSION['ADMIN'] = [];
}
}
/* VERIFICATION DE L'AUTHENTIFICATION
*
*
*/
private static function deepCheck(){
/* [1] Si aucune authentification
=========================================================*/
if( self::auth_level() == 0 )
return false;
/* [2] Si authentification token -> ADMIN
=========================================================*/
if( self::auth_level() == 2 ){
/* (1) Fetch admin by token */
$fetched_admin = Repo::request('admin', 'getByToken', $_SESSION['AUTH']['token']);
/* (2) If does not exist -> no auth */
if( !is_array($fetched_admin) )
return false;
/* (3) Update global admin informations */
$_SESSION['ADMIN'] = [
'id' => $fetched_admin['id_admin'],
'username' => $fetched_admin['username'],
'mail' => $fetched_admin['mail']
];
}
/* [3] Si authentification token -> USER
=========================================================*/
if( self::auth_level() == 1 ){
/* (1) Fetch user by token */
$fetched_user = Repo::request('user', 'getByToken', $_SESSION['AUTH']['token']);
/* (2) If does not exist -> no auth */
if( !is_array($fetched_user) )
return false;
/* (3) Update global user informations */
$_SESSION['USER'] = [
'id' => $fetched_user['id_user'],
'username' => $fetched_user['username'],
'mail' => $fetched_user['mail']
];
}
/* [5] Si pas d'erreur d'authentification, on retourne TRUE
=========================================================*/
return true;
}
/* VERIFICATION DES ACCES EN FONCTION DE PERMISSIONS ATTENDUES
*
* @expected<array> Liste de listes de combinaisons de permissions attendues
*
* @return error<Error> Si FALSE, pas la permission, sinon si
*
*/
public static function permission($expected){
$error_propag = [];
/* [1] Check format -> if not array of array(s) -> ERROR
=========================================================*/
/* (1) If not array -> ERROR */
if( !is_array($expected) )
return new Error(Err::FormatError);
/* (2) If not array of array(s) -> ERROR */
foreach($expected as $permissions)
if( !is_array($permissions) )
return new Error(Err::FormatError);
/* [2] Foreach each set of permission
=========================================================*/
foreach($expected as $permission_group){
/* If granted -> don't go further */
$error_propag[] = self::check_permission_group($permission_group);
if( $error_propag[count($error_propag)-1]->get() == Err::Success )
return new Error(Err::Success);
}
/* [3] By default return `PermissionError`
=========================================================*/
if( count($error_propag) > 0 )
return $error_propag[count($error_propag)-1];
return new Error(Err::PermissionError);
}
/* VERIFICATION DES ACCES EN FONCTION DE PERMISSIONS ATTENDUES
*
* @expected<array> Liste des permissions attendues
*
* @return error<int> Err:: error constants
*
*/
private static function check_permission_group($expected){
/* [1] Gestion de l'AUTH (authentification)
=========================================================*/
/* (1) Si entrepot requis, mais manquant
---------------------------------------------------------*/
if( in_array('admin', $expected) && ( self::auth_level() < 2 || !isset($_SESSION['ADMIN']['id']) ) )
return new Error(Err::PermissionError);
/* (2) Si admin requis, mais manquant
---------------------------------------------------------*/
if( in_array('user', $expected) && ( self::auth_level() < 1 || !isset($_SESSION['USER']['id']) ) )
return new Error(Err::PermissionError);
/* (3) On retire 'admin', et 'user' de @expected
---------------------------------------------------------*/
$adminIndex = array_search('admin', $expected);
$userIndex = array_search('user', $expected);
if( is_int($adminIndex) ) unset($expected[$adminIndex]);
if( is_int($userIndex) ) unset($expected[$userIndex]);
/* [2] Gestion des permissions CUSTOM
=========================================================*/
/* (1) Vérification de toutes les permissions requises */
foreach($expected as $permission)
// Si il manque au minimum une permission, on retourne FALSE
if( !in_array($permission, $_SESSION['PERM']) )
return new Error(Err::PermissionError, $permission);
/* [4] Si on a toutes les permissions requises
=========================================================*/
return new Error(Err::Success);
}
/* RENVOIE LE NIVEAU D'AUTHENTIFICATION
*
* @return auth<int> Niveau d'authentification (0 à 2)
*
*/
public static function auth_level(){
/* (1) Not set */
if( !is_array($_SESSION['AUTH']) || !isset($_SESSION['AUTH']['token']) || !isset($_SESSION['AUTH']['type']) )
return 0;
/* (2) Admin / User */
return ($_SESSION['AUTH']['type'] == 'admin') ? 2 : 1;
}
}
?>